57 lines
1.7 KiB
Diff
57 lines
1.7 KiB
Diff
From: Andy Lutomirski <luto@amacapital.net>
|
|
Date: Mon, 23 Jun 2014 14:22:15 -0700
|
|
Subject: x86_32, entry: Do syscall exit work on badsys (CVE-2014-4508)
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
Origin: https://git.kernel.org/linus/554086d85e71f30abe46fc014fea31929a7c6a8a
|
|
|
|
The bad syscall nr paths are their own incomprehensible route
|
|
through the entry control flow. Rearrange them to work just like
|
|
syscalls that return -ENOSYS.
|
|
|
|
This fixes an OOPS in the audit code when fast-path auditing is
|
|
enabled and sysenter gets a bad syscall nr (CVE-2014-4508).
|
|
|
|
This has probably been broken since Linux 2.6.27:
|
|
af0575bba0 i386 syscall audit fast-path
|
|
|
|
Cc: stable@vger.kernel.org
|
|
Cc: Roland McGrath <roland@redhat.com>
|
|
Reported-by: Toralf Förster <toralf.foerster@gmx.de>
|
|
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
|
|
Link: http://lkml.kernel.org/r/e09c499eade6fc321266dd6b54da7beb28d6991c.1403558229.git.luto@amacapital.net
|
|
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
|
|
---
|
|
arch/x86/kernel/entry_32.S | 10 ++++++++--
|
|
1 file changed, 8 insertions(+), 2 deletions(-)
|
|
|
|
--- a/arch/x86/kernel/entry_32.S
|
|
+++ b/arch/x86/kernel/entry_32.S
|
|
@@ -431,9 +431,10 @@ sysenter_past_esp:
|
|
jnz sysenter_audit
|
|
sysenter_do_call:
|
|
cmpl $(NR_syscalls), %eax
|
|
- jae syscall_badsys
|
|
+ jae sysenter_badsys
|
|
call *sys_call_table(,%eax,4)
|
|
movl %eax,PT_EAX(%esp)
|
|
+sysenter_after_call:
|
|
LOCKDEP_SYS_EXIT
|
|
DISABLE_INTERRUPTS(CLBR_ANY)
|
|
TRACE_IRQS_OFF
|
|
@@ -688,7 +689,12 @@ END(syscall_fault)
|
|
|
|
syscall_badsys:
|
|
movl $-ENOSYS,PT_EAX(%esp)
|
|
- jmp resume_userspace
|
|
+ jmp syscall_exit
|
|
+END(syscall_badsys)
|
|
+
|
|
+sysenter_badsys:
|
|
+ movl $-ENOSYS,PT_EAX(%esp)
|
|
+ jmp sysenter_after_call
|
|
END(syscall_badsys)
|
|
CFI_ENDPROC
|
|
/*
|